If you haven’t heard about the massive Android security vulnerability called Stagefright, first take a look: 950 million Android phones can be hijacked by malicious text messages
Stagefright is potentially the largest security exploit in the history of consumer electronics to date. I am not one for spreading FUD (fear, uncertainty, and doubt) but in this case, that is exactly what I intend to do. Let me be clear and up front about what I think of this exploit: If you care about the security of your data, even a little, don’t use Android. And if you do, abandon it - as soon as humanly possible.
Consider the facts:
1) Stagefright is a vulnerability in the operating system itself. It can’t be patched by updating an app. Stagefright is a low-level component of the Android operating system.
2) The exploit affects all Android phones running the latest version back to 2.2 Gingerbread released in May, 2010. That means that if you use an Android phone, it’s vulnerable.
3) This exploit is easy to weaponize. All a hacker needs to do is send a file crafted to use the exploit via MMS (multimedia messaging service) to an Android phone. That’s it. And because MMS is a global standard, the Stagefright exploit could theoretically be used at scale. If having all your personal data siphoned off to the dark corners of the Internet wasn't bad enough, imagine something like a sleeper DDoS attack that uses millions of Android phones to take down cellular networks. I’m not trying to be dramatic. But it’s important to remember that when millions of devices become compromised at the root level, scenarios previously unthinkable become possible.
4) You aren’t likely to know if you have been exploited. If done right, hackers can use the exploit to prevent you from even knowing you received their MMS.
5) There is no way to patch your device. The vast majority of Android devices never receive an operating system update - ever. Due to the complexity of shipping an Android update, and the fact that Apple takes 93% of the mobile phone industry’s profit, there is no incentive for the 1300+ companies making Android devices to keep supporting them. Samsung, HTC, Motorola and others have committed to updating their flagship devices shipped in the last year. But that’s only 2.6% of all active Android devices. This makes for an interesting comparison with Apple, which provides the latest iOS updates over the air to a nearly a billion devices going back five years.
Considering the size of the target (900+ million devices) and the ease of weaponizing the exploit, you should assume organizations with the resources of a state already know about it. In fact, I think it is foolish to assume that both domestic and foreign intelligence services aren’t already using the exploit. It seems logical to me that if a private Internet security firm can discover such a vulnerability, then so can government agencies whose business it is to gather intelligence, spy, and stockpile ammunition and attack vectors for their respective cyber warfare programs. But considering the state of the Android ecosystem why wouldn’t you assume there are other yet "undiscovered" exploits? Why then, would you assume those same intelligence agencies haven’t discovered them?
It is time to have a frank discussion about Android and the unacceptable risk it poses to the security of one's data and the protection of one's privacy. For a number of years, I have maintained that something like Stagefright was only a matter of time for Android. It was destined to happen. With such a popular operating system, and with no way of updating the hundreds of millions of devices in use, Android quickly became a lightning rod for hackers, criminals, gangs, terrorists, anarchists, and spy agencies alike. At this point, one is left with a binary choice. If you care at all about security, you need an iPhone or a Blackberry. Now, more than ever, we need companies that actually care about security and fundamentally bake it into their ecosystems.
We who work in IT need to stop giving Android a free pass when it comes to security. Carrying an Android phone is like having a spy in your pocket. Google and its Android partners have blown it. They deserve the exodus that I hope is underway.